VMSA-2019-0020: VMware ESXi, Workstation, and Fusion patches provide Hypervisor-Specific Mitigations for Speculative-Execution Vulnerabilities

VMware

10 November 2019

10 November 2019

CLOSED

MEDIUM

6.5

CVE-2018-12207,CVE-2019-11135

VMware Security Advisories

Advisory ID: VMSA-2019-0020
Advisory Severity: Moderate
CVSSv3 Range: 6.5
Synopsis: VMware ESXi, Workstation, and Fusion patches provide Hypervisor-Specific Mitigations for Denial-of-Service and Speculative-Execution Vulnerabilities (CVE-2018-12207, CVE-2019-11135)
Issue Date: 2019-11-12
Updated On: 2019-11-12 (Initial Advisory)
CVE(s): CVE-2018-12207, CVE-2019-11135
 
1. Impacted Products
  • VMware ESXi
  • VMware Workstation
  • VMware Fusion
 
2. Introduction
Vulnerabilities have been disclosed which affect Intel processors:
  • CVE-2018-12207 - Machine Check Error on Page Size Change (MCEPSC)
  • CVE-2019-11135 - TSX Asynchronous Abort (TAA)

VMware Hypervisor patches are available which provide mitigation options for both CVE-2018-12207 and CVE-2019-11135.

 
3a. Hypervisor-Specific Mitigations for Machine Check Error on Page Size Change (MCEPSC) Denial-of-Service vulnerability (CVE-2018-12207)

Description:

VMware ESXi, Workstation, and Fusion patches include Hypervisor-Specific Mitigations for Machine Check Error on Page Size Change (MCEPSC). VMware has evaluated this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

 

Known Attack Vectors:

A malicious actor with local access to execute code in a virtual machine may be able to trigger a purple diagnostic screen or immediate reboot of the Hypervisor hosting the virtual machine, resulting in a denial-of-service condition.

 

Resolution:

To mitigate CVE-2018-12207, please refer to the 'Response Matrix' below. First apply all patches listed in the 'Fixed Version' column, and then follow the instructions found in the KB article in the 'Additional Documentation' column for your respective product.

 

Workarounds:

None.

 

Additional Documentation:

Because the mitigations for CVE-2018-12207 may have a performance impact, they are not enabled by default. After applying all patches from the 'Fixed Version' column below, the mitigation can be enabled by following the instructions found in the KB article in the 'Additional Documentation' column for the product. Performance impact data found in KB76050 should be reviewed prior to enabling this mitigation.

 

Notes:

None.

 

Acknowledgements:

None.

 

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
|---|---|---|---|---|---|---|---|---|
| ESXi | 6.7 | Any | CVE-2018-12207 | 6.5 | Moderate | ESXi670-201911401-BG, ESXi670-201911402-BG | None | KB59139 |
| ESXi | 6.5 | Any | CVE-2018-12207 | 6.5 | Moderate | ESXi650-201911401-BG, ESXi650-201911402-BG | None | KB59139 |
| ESXi | 6.0 | Any | CVE-2018-12207 | 6.5 | Moderate | ESXi600-201911401-BG, ESXi600-201911402-BG | None | KB59139 |
| Workstation | 15.x | Any | CVE-2018-12207 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 11.x | Any | CVE-2018-12207 | N/A | N/A | Unaffected | N/A | N/A |
 
3b. Hypervisor-Specific Mitigations for TSX Asynchronous Abort (TAA) Speculative-Execution vulnerability (CVE-2019-11135)

Description:

VMware ESXi, Workstation, and Fusion patches include Hypervisor-Specific Mitigations for TSX Asynchronous Abort (TAA). VMware has evaluated this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

 

Known Attack Vectors:

A malicious actor with local access to execute code in a virtual machine may be able to infer data otherwise protected by architectural mechanisms from another virtual machine or the hypervisor itself. This vulnerability is only applicable to Hypervisors utilizing 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) microarchitecture.

 

Resolution:

To mitigate CVE-2019-11135 apply all patches listed in the 'Fixed Version' column found in the 'Response Matrix' below.

 

Workarounds:

None.

 

Additional Documentation:

None.

 

Notes:

None.

 

Acknowledgements:

None.

 

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
|---|---|---|---|---|---|---|---|---|
| ESXi | 6.7 | Any | CVE-2019-11135 | 6.5 | Moderate | ESXi670-201911401-BG, ESXi670-201911402-BG | None | None |
| ESXi | 6.5 | Any | CVE-2019-11135 | 6.5 | Moderate | ESXi650-201911401-BG, ESXi650-201911402-BG | None | None |
| ESXi | 6.0 | Any | CVE-2019-11135 | 6.5 | Moderate | ESXi600-201911401-BG, ESXi600-201911402-BG | None | None |
| Workstation | 15.x | Any | CVE-2019-11135 | 6.5 | Moderate | 15.5.1 | None | None |
| Fusion | 11.x | Any | CVE-2019-11135 | 6.5 | Moderate | 11.5.1 | None | None |

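
The two response matrices above can be turned into an inventory check. The following is an added example, not VMware code: it separates "patched" from "mitigated" for CVE-2018-12207 (the mitigation is off by default) and scopes CVE-2019-11135 to Cascade Lake hosts as the advisory does. The Host fields and the sample inventory are assumptions constructed for illustration.

```python
# Added example: triage hosts against the VMSA-2019-0020 response matrices (constructed data).
from dataclasses import dataclass, field

# 'Fixed Version' values copied from the advisory's response matrices.
ESXI_BULLETINS = {
    "6.7": {"ESXi670-201911401-BG", "ESXi670-201911402-BG"},
    "6.5": {"ESXi650-201911401-BG", "ESXi650-201911402-BG"},
    "6.0": {"ESXi600-201911401-BG", "ESXi600-201911402-BG"},
}
HOSTED_FIXED = {"Workstation": (15, 5, 1), "Fusion": (11, 5, 1)}

@dataclass
class Host:
    name: str
    product: str                  # "ESXi", "Workstation" or "Fusion"
    version: str                  # "6.7" for ESXi, "15.5.0" for hosted products
    bulletins: set = field(default_factory=set)   # applied ESXi bulletin IDs
    cascade_lake: bool = False    # 2nd Gen Xeon Scalable: the TAA scope in section 3b
    mcepsc_enabled: bool = False  # KB59139 opt-in completed after patching

def patched(h):
    """True when every 'Fixed Version' entry for this product/version is applied."""
    if h.product == "ESXi":
        need = ESXI_BULLETINS.get(h.version)
        return need is not None and need <= h.bulletins
    return tuple(int(p) for p in h.version.split(".")) >= HOSTED_FIXED[h.product]

def findings(h):
    """Outstanding actions for one host; an empty list means nothing is left to do."""
    if h.product == "ESXi" and h.version not in ESXI_BULLETINS:
        return ["ESXi version not listed in the VMSA-2019-0020 response matrix"]
    out, ok = [], patched(h)
    if h.product == "ESXi":       # Workstation and Fusion are unaffected by CVE-2018-12207
        if not ok:
            out.append("CVE-2018-12207: apply both bulletins, then follow KB59139")
        elif not h.mcepsc_enabled:
            out.append("CVE-2018-12207: patched but mitigation is off by default (KB59139)")
    if h.cascade_lake and not ok:
        out.append("CVE-2019-11135: apply the fixed version")
    return out

INVENTORY = [                     # constructed sample data
    Host("esx-a", "ESXi", "6.7", set(ESXI_BULLETINS["6.7"]), cascade_lake=True),
    Host("esx-b", "ESXi", "6.5", {"ESXi650-201911401-BG"}, cascade_lake=True),
    Host("esx-c", "ESXi", "6.0", set(ESXI_BULLETINS["6.0"]), mcepsc_enabled=True),
    Host("ws-1", "Workstation", "15.5.0", cascade_lake=True),
]
for h in INVENTORY:
    print(h.name, findings(h) or "no action outstanding")
```
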
5. Change log
 

2019-11-12: VMSA-2019-0020 

Initial security advisory detailing Hypervisor-Specific Mitigations for CVE-2018-12207 and CVE-2019-11135 in VMware ESXi, Workstation, and Fusion.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  [email protected]

  [email protected]

  [email protected]

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.